Metasploit Mac OS X Post Exploitation: Enumeration and Hash Dump

As always, Carlos Perez aka Dark Operator, member of the PaulDotCom crew and Metasploit developer, is inspired. A new set of post exploitation scripts has been developed and integrated into the Metasploit framework repository. These scripts let you gather interesting information about a Mac OS X target.

These Metasploit post exploitation scripts support versions 10.3, 10.4, 10.5, 10.6 and 10.7 of Mac OS X. For the moment they only work with a “shell” payload, but Carlos is working on a version that supports complete integration with meterpreter. Carlos is also working on an iOS integration.

Mac OS X enum_osx post exploitation script

This script gathers the available data types by automating the execution of the “/usr/sbin/system_profiler” command. Depending on your Mac OS X version, more or fewer data types will be available. Here are some examples:

As with the hashdump script, if the Metasploit session is running with Mac OS X root privileges, the SHA, LM and/or NTLM password hashes of the user accounts will be downloaded.

All gathered information is saved in a “logs/post/enum_osx/hostname-date” folder located in your “$HOME/.msf3” folder.

Metasploit enum_osx post exploitation
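A defender-side sketch, added here and not part of the original post or of the Metasploit code: it flags the enumeration pattern described above, where one parent process requests many different system_profiler data types in a short time. It assumes the script invokes “/usr/sbin/system_profiler” once per data type and that process-execution records are available; the log format, field names and thresholds are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed process-execution records; the log format is hypothetical.
SAMPLE_LOG = """\
2011-11-20T10:02:11 ppid=301 user=alice cmd=/usr/sbin/system_profiler SPSoftwareDataType
2011-11-20T10:15:01 ppid=812 user=bob cmd=/usr/sbin/system_profiler SPSoftwareDataType
2011-11-20T10:15:02 ppid=812 user=bob cmd=/usr/sbin/system_profiler SPNetworkDataType
2011-11-20T10:15:03 ppid=812 user=bob cmd=/usr/sbin/system_profiler SPBluetoothDataType
2011-11-20T10:15:03 ppid=812 user=bob cmd=/bin/ls -la
2011-11-20T10:15:04 ppid=812 user=bob cmd=/usr/sbin/system_profiler SPUSBDataType
2011-11-20T10:15:05 ppid=812 user=bob cmd=/usr/sbin/system_profiler SPAirPortDataType
2011-11-20T11:40:30 ppid=301 user=alice cmd=/usr/sbin/system_profiler SPHardwareDataType SPDisplaysDataType
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ppid=(?P<ppid>\d+) user=(?P<user>\S+) "
    r"cmd=/usr/sbin/system_profiler(?P<args>(?: \S+)*)$"
)
DATATYPE_RE = re.compile(r"^SP\w+DataType$")


def find_profiler_sweeps(log_text, window=timedelta(seconds=60), min_types=5):
    """Return (user, ppid, first_seen, data_types) for each parent process that
    requested at least min_types distinct data types inside the time window.
    Records are assumed to be in chronological order."""
    recent = defaultdict(deque)  # (user, ppid) -> deque of (timestamp, data type)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a system_profiler execution
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        key = (m["user"], int(m["ppid"]))
        q = recent[key]
        q.extend((ts, a) for a in m["args"].split() if DATATYPE_RE.match(a))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop requests that fell out of the window
        types = sorted({t for _, t in q})
        if len(types) >= min_types and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], q[0][0].isoformat(), types))
    return alerts


if __name__ == "__main__":
    for alert in find_profiler_sweeps(SAMPLE_LOG):
        print("possible system_profiler enumeration sweep:", alert)
```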

Mac OS X hashdump post exploitation script

As described above, this script focuses only on gathering the SHA, LM and/or NTLM password hashes of the Mac OS X user accounts and downloading everything to the Metasploit station. All gathered information is saved in a “logs/post/enum_osx/hostname-date” folder located in your “$HOME/.msf3” folder.

Metasploit OS X hashdump post exploitation

To test these scripts you only need to create an executable payload for Mac OS X and follow these steps.

First, create the payload with msfpayload and upload it to the target Mac OS X system.